PrefectHQ Prefect GitRepository Argument Injection Vulnerability

Vulnerability

A vulnerability allowing argument injection has been identified in PrefectHQ Prefect versions prior to 3.6.25.dev6. The issue resides in the GitRepository Pull Handler, specifically within the file src/prefect/runner/storage.py. The vulnerability arises because the constructor of GitRepository accepts commit_sha and directories parameters without proper validation, allowing values that start with '-' to be interpreted as git command flags. This injection can be exploited remotely, with the potential for denial-of-service or, under certain conditions, pre-authentication remote code execution on the server hosting the git repository.

Impact

Exploitation of this vulnerability leads to reliable denial-of-service by causing the git sparse-checkout command to hang indefinitely when certain injected arguments are used. Additionally, it allows for injection of git command flags that could be exploited for remote code execution, depending on the git repository's configuration and the nature of the injected command.

Reproduction

The vulnerability can be reproduced by installing Prefect version 3.6.24, which is vulnerable, and then using a Python script to create a GitRepository instance with malicious commit_sha and directories arguments. The script can demonstrate the vulnerability by showing how the injected arguments are passed to git commands, causing a denial-of-service condition.
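The flaw described above comes down to untrusted strings reaching git's option parser: any operand that begins with '-' can be read as a flag. The block below is an added illustration of the input-validation layer that closes that gap; it is not Prefect's code or the upstream fix, and the function names, the hex-only rule for commit ids and the directory rules are assumptions made here. It rejects option-like values, uses the `--` end-of-options marker where git permits it, and runs git with a timeout so a hanging subcommand cannot stall the caller indefinitely.

```python
"""
Hypothetical hardening for git arguments built from untrusted input
(added example, not Prefect's code).  Two independent layers:
  1. validate each operand so nothing git could parse as an option gets through;
  2. where the subcommand allows it, terminate options with '--'.
"""
import re
import subprocess
from typing import List, Sequence

# Assumption: commit_sha is expected to be an abbreviated or full hex object id
# (7-40 hex chars for SHA-1 repositories, up to 64 for SHA-256 repositories).
_COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{7,64}$", re.IGNORECASE)


class UnsafeGitArgument(ValueError):
    """Raised when a value could change how git parses its command line."""


def validate_commit_sha(commit_sha: str) -> str:
    """Accept only a hex object id.  '-x', '--upload-pack=...', whitespace and
    every other non-hex string is rejected before it can reach git."""
    if not isinstance(commit_sha, str) or not _COMMIT_SHA_RE.fullmatch(commit_sha):
        raise UnsafeGitArgument(f"commit_sha is not a hex object id: {commit_sha!r}")
    return commit_sha


def validate_directory(directory: str) -> str:
    """Reject sparse-checkout patterns that git would read as options, that
    escape the checkout tree, or that carry control characters."""
    if not isinstance(directory, str) or not directory:
        raise UnsafeGitArgument("directory must be a non-empty string")
    if directory.startswith("-"):
        raise UnsafeGitArgument(f"directory looks like a git option: {directory!r}")
    if directory.startswith("/") or ".." in directory.split("/"):
        raise UnsafeGitArgument(f"directory must stay inside the repository: {directory!r}")
    if any(ch in directory for ch in "\0\r\n"):
        raise UnsafeGitArgument("directory contains control characters")
    return directory


def rejects_directory(directory: str) -> bool:
    """Convenience predicate: True when validate_directory() refuses the value."""
    try:
        validate_directory(directory)
    except UnsafeGitArgument:
        return True
    return False


def sparse_checkout_command(directories: Sequence[str]) -> List[str]:
    """argv for `git sparse-checkout set`.  Validation plus the '--' marker
    means a stray '-' prefixed value is refused twice over."""
    safe = [validate_directory(d) for d in directories]
    return ["git", "sparse-checkout", "set", "--", *safe]


def checkout_command(commit_sha: str) -> List[str]:
    """argv for `git checkout <sha>`.  '--' cannot be used here (it would turn
    the sha into a pathspec), so validation is the only guard."""
    return ["git", "checkout", validate_commit_sha(commit_sha)]


def run_git(argv: List[str], cwd: str, timeout_s: float = 60.0) -> subprocess.CompletedProcess:
    """Execute an already-validated argv as a list (never through a shell)
    and bound the run time so a hanging git invocation fails loudly instead
    of tying up the worker.  Not exercised by the self-test."""
    return subprocess.run(argv, cwd=cwd, check=True, timeout=timeout_s, capture_output=True)


if __name__ == "__main__":
    print(sparse_checkout_command(["flows", "src/utils"]))
    print(checkout_command("deadbeefcafe"))
    for bad in ("--no-cone", "-", "../outside"):
        print(bad, "rejected:", rejects_directory(bad))
```

The important design choice is allow-listing: a deny-list of known flags would need updating every time git grows an option, whereas "hex only" and "no leading dash, no path escape" describe the legitimate inputs directly.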

Remediation

Users are advised to upgrade to Prefect version 3.6.25 or later, where this vulnerability has been fixed.

Added: May 4, 2026, 5:22 AM
Updated: May 4, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.